NetApp Knowledge Base

FAQ: NetApp Volume Encryption and NetApp Aggregate Encryption

Category:
ontap-9
Specialty:
core

Applies to

  • Administration
  • ONTAP 9

Answer

Overview

NetApp Volume Encryption (NVE) is a software-based, data-at-rest encryption solution available starting with NetApp ONTAP 9.1. NVE lets ONTAP encrypt data before it is stored on disk without requiring self-encrypting drives. It also preserves the storage efficiency features (such as deduplication) that would be lost if the customer encrypted at the application layer, because encryption happens after those efficiencies have been applied. Customers can use any existing disk with NVE, including NetApp Storage Encryption (NSE) drives, for double or layered encryption. NVE and NAE (described below) are the only options available for encrypting data at rest in NetApp MetroCluster and ONTAP Select.

Starting with ONTAP 9.6, NetApp Aggregate Encryption (NAE) extends the software-based NVE data-at-rest solution: ONTAP encrypts every volume in the aggregate with keys shared across that aggregate. Because the volumes share a key, NAE lets you use aggregate-level (cross-volume) deduplication for greater storage efficiency.

  1. Solution Overview

NVE and NAE are composed of a software cryptographic module (CryptoMod), encryption keys, and a key manager.

  1.1 Software CryptoMod

The software CryptoMod performs the data encryption operations and generates encryption keys for the volumes (see Figure 1).

Figure 1) NVE and NAE encrypt/decrypt flow

The CryptoMod encrypts data at the RAID layer, below WAFL, so storage efficiencies such as deduplication operate on plaintext before encryption and are preserved. On a read, data is decrypted as it leaves the RAID layer on its way back up the stack.

  1.2 Encryption Keys

With NVE, a unique XTS-AES-256 data encryption key is generated for each volume. With NAE, unique XTS-AES-256 data encryption keys are generated per aggregate and used for all NAE volumes in that aggregate. When using the onboard key manager (OKM), a key hierarchy encrypts and protects all volume or aggregate keys. These keys are never displayed, shown, or reported in unencrypted form.

  1.3 Key Manager

The encryption keys are stored within the key manager, which keeps track of all the encryption keys used by ONTAP. The key manager can be the onboard key manager (OKM) or an external key manager that uses the OASIS Key Management Interoperability Protocol (KMIP).

  1.4 Comparison with NetApp Storage Encryption

NSE requires all drives in an HA pair to be purpose-built, self-encrypting drives. These drives perform the data encryption themselves with a hardware-accelerated mechanism, so NSE systems usually outperform NVE systems when encrypting data.
NSE drives are FIPS 140-2 level 2 validated; the CryptoMod used by NVE and NAE is FIPS 140-2 level 1 validated. FIPS 140-2 level 1 is the highest level attainable for a software module.

Requirements
  1. Are there any platform requirements?

Yes. NVE and NAE require a controller CPU that supports the AES-NI instruction set extensions (hardware-accelerated AES). The controllers with AES-NI are FAS2620, FAS2650, FAS6280, FAS6290, FAS8020, FAS8040, FAS8060, FAS8080, FAS8200, FAS9000, AFF A200, AFF A300, AFF A700, AFF A700s, and all new controllers introduced with ONTAP 9.1 and later.

  1. In addition to a platform, what else do I need to run NVE and NAE?

You need an ONTAP software image that can encrypt and the NVE software license. ONTAP images that are not capable of encrypting data are marked with a special extension (see the NODAR question below).

  1. Are NVE and NAE licensed features?

Yes. The license exists for global trade compliance purposes.

  1. I understand that ONTAP 9.1 includes NVE, which has cryptographic functions. What if I'm selling to a customer in a country where export control policies prevent the export of strong cryptographic algorithms?

ONTAP has two different builds: the normal build and a no data-at-rest (NODAR) encryption build. NODAR builds are distinguishable by the word nodar in the version string shown by the version -v or run local version command.

  1. Which key managers are compatible or available with NVE and NAE?

Starting with ONTAP 9.3, both the onboard key manager (OKM) and external KMIP servers are available for NVE; NAE (ONTAP 9.6 and later) uses the same key managers.

  1. What if I have an existing NSE system with an external KMIP key manager and want to use NVE as well?

With ONTAP 9.3 and later, the external key manager can serve both the NSE drives and NVE volumes. NAE, introduced in ONTAP 9.6, uses the same key manager configuration.

  1. Which external key managers are supported with NVE and NAE starting in ONTAP 9.3?

Refer to the Interoperability Matrix Tool (IMT).

  1. Must all of my volumes be encrypted, as required in NSE?

No. With NVE, you can choose which volumes are encrypted and which are not. With an NAE aggregate, unencrypted volumes are not allowed: every volume on an NAE aggregate must be NAE or NVE encrypted.

  1. Can I use NSE drives with NVE and NAE?

Yes. NVE and NAE allow you to add a layer of encryption on top of what the NSE drives already provide.

  1. Can I have NVE-capable and non-NVE-capable platforms in the same cluster and still use NVE and NAE?

Yes. You can mix platforms per the standard ONTAP platform mixing rules, but both nodes in a high-availability (HA) pair must be NVE/NAE capable. Nodes that are not NVE capable cannot host encrypted volumes.

Architecture
  1. What is encrypted with NVE and NAE?

For NVE, data volumes (specifically NetApp FlexVol® volumes), metadata volumes (MDV) for MetroCluster, and existing controller root volumes (vol0) can be encrypted. Storage virtual machine (SVM) root volumes are not encrypted with NVE. For NAE, data volumes, SVM root volumes, and the MetroCluster metadata volumes (MDV) are encrypted; controller root volumes (vol0) are not. For both NVE and NAE, everything that is part of the data volume is encrypted, including NetApp Snapshot™ copies and clones.

  1. Are the NetApp storage efficiencies still maintained when NVE and NAE are used?

Yes. As described in the solution overview (section 1.1), CryptoMod encrypts at the RAID layer, so storage efficiencies stay in place because they are applied before the encryption functions.

  1. Do NVE and NAE work with aggregate deduplication?

You can place NVE volumes in aggregates that have aggregate-level (cross-volume) deduplication enabled, but NVE volumes do not participate in the aggregate deduplication savings; they are skipped, because each NVE volume is encrypted with its own key and a physical block cannot be shared across different keys. NAE volumes, which share the aggregate key, do participate in aggregate deduplication savings.

  1. What type of algorithms do NVE and NAE use for encrypting data?

NVE and NAE data-at-rest encryption uses XTS-AES-256. The keys required for XTS-AES-256 are generated by a NIST SP 800-90A CTR_DRBG with prediction resistance and health checks always on.

  1. Are Snapshot copies encrypted?

Yes.

  1. Are FlexClone volumes encrypted?

Yes. NetApp FlexClone® volumes are encrypted with the same key as the original volume.

  1. Can FlexClone volumes be encrypted with a different encryption key than the original volume?

Yes. The FlexClone volume must first be split from the original volume. A warning message tells the user to perform a volume move to give the split clone a new encryption key. After the user performs the volume move, the split clone has a new encryption key.

  1. Are data volume encryption keys reused?

No. With NVE, each data volume key is unique to that volume. With NAE, all data volumes in an aggregate share that aggregate's keys, which are unique to the aggregate.

  1. Can I assign a specific key to a data volume?

No. For NVE, encryption keys are automatically generated when the volume is created. For NAE, encryption keys are automatically generated when the aggregate is created.

  1. If I use NetApp SnapMirror to mirror my encrypted volume to a different cluster, is the same encryption key used at the destination?

No. For NVE, the destination volume is a separate volume with its own unique key. For NAE, the destination volume is encrypted with the keys of the destination aggregate.

  1. Do NVE and NAE encrypt data in flight?

No. NVE and NAE are specifically for data that is stored on disk. Another feature, Cluster Peer Encryption (CPE) is introduced in ONTAP 9.6 to encrypt data in flight for SnapMirror, SnapVault, and FlexCache.

  1. If I use SnapMirror to mirror my encrypted volume to a different cluster, is the data encrypted in flight or over the wire by NVE or NAE?

No. NetApp SnapMirror® sits above the NetApp WAFL® layer, so the data SnapMirror sends has already been decrypted on read and is not encrypted by NVE or NAE. For more information, see the solution overview in section 1.1.

  1. Are encryption keys replicated across clusters?

No. Encryption keys apply only to a single cluster.

  1. Where are data volume encryption or aggregate encryption keys stored?

With the onboard key manager, data volume encryption keys and aggregate keys are stored in the WAFL metadata, which is not accessible by the user, and the volume location database (VLDB). With an external key manager, data volume encryption keys and aggregate keys are stored directly on the KMIP server.

  1. What is the Trusted Platform Module (TPM)?

The TPM is a chip on a FAS or AFF storage controller motherboard.  Starting with ONTAP 9.8, platforms with TPM chips and a TPM license will generate and seal the node key encryption key to protect the highest level of the OKM keying hierarchy.

  1. Can my source volume be encrypted and my SnapMirror target be unencrypted, or conversely?

Yes. The source volume and destination volume can have different encryption settings. Source and destination volumes can be a mixture of NVE, NAE, or plaintext volumes.

  1. Are NVE and NAE FIPS 140-2 validated?

NVE and NAE are FIPS 140-2 compliant: the CryptoMod used by NVE, NAE, and OKM is FIPS 140-2 level 1 validated.

  1. Do NVE and NAE provide a special mechanism or procedure to protect against or handle data spills?

No. Because of wear leveling in solid-state drives (SSDs), sensitive data that was written to a drive before NVE or NAE was enabled can still be present in plaintext. Storing the volume keys outside the cluster on an external key server (ONTAP 9.3 and later) protects the encrypted data if the drives leave your control, but it does nothing for data that was written before encryption was enabled. This problem is not unique to NetApp; any vendor using SSDs has the same problem.

  1. How can I use NVE to nondisruptively remediate data spillage?  As an example, I want to ensure deletion of personal data for GDPR "right-to-erasure."

Yes. Use NVE secure purge to cryptographically shred deleted files on NVE volumes: secure purge re-encrypts the volume's remaining (good) data with a new key and then deletes the old key, so the blocks that held the deleted (spilled) files can no longer be decrypted. See the NetApp Encryption Power Guide for details. NAE volumes do not support secure purge.
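
The following Python model is added here as an illustration; it is not NetApp code and not part of this FAQ. It ties together the points above: a passphrase-derived key hierarchy in which callers only ever see key IDs (sections 1.2 and 1.3), deduplication that happens before encryption so that two NVE volumes with distinct keys cannot share a physical block while NAE volumes under one aggregate key can (the aggregate deduplication question), and secure purge as re-encryption under a fresh key followed by deletion of the old key. The OnboardKeyManager, Aggregate and Volume classes, the xts_standin function (an HMAC-SHA256 keystream used as a stand-in because XTS-AES-256 is not in the Python standard library), the passphrase and the sample block are all constructed for the example and are not ONTAP interfaces; the retention period and the WAFL/RAID layering are not modelled.

```python
import hashlib, hmac, secrets


def xts_standin(key, tweak, data):
    # Stand-in for XTS-AES-256 (not in the stdlib): HMAC-SHA256 keystream keyed by the data key and
    # tweaked by the block address, so equal plaintext at two addresses differs; XOR again decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, tweak.to_bytes(8, "big") + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class OnboardKeyManager:
    # OKM model: a KEK derived from the passphrase wraps every data key; callers only ever see key IDs.
    def __init__(self, passphrase):
        self._kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"okm-salt", 100_000)
        self._wrapped = {}  # key_id -> data key wrapped under the KEK

    def create_key(self):
        dek = secrets.token_bytes(64)  # 512 bits, the key size XTS-AES-256 uses
        key_id = hashlib.sha256(dek).hexdigest()[:16]
        self._wrapped[key_id] = xts_standin(self._kek, 0, dek)
        return key_id

    def unwrap(self, key_id):  # the plaintext key is handed only to the encryption path
        if key_id not in self._wrapped:
            raise KeyError(f"key {key_id} no longer exists; its data is unrecoverable")
        return xts_standin(self._kek, 0, self._wrapped[key_id])

    def delete_key(self, key_id):
        self._wrapped.pop(key_id, None)

    def query(self):
        return sorted(self._wrapped)  # key IDs only, like 'security key-manager query'


class Aggregate:
    def __init__(self, km, nae=False):
        self.km, self.nae, self.blocks, self.dedup = km, nae, {}, {}  # blocks: addr -> (key_id, ct)
        self.aggr_key_id = km.create_key() if nae else None  # NAE: one key for the whole aggregate

    def create_volume(self, encryption_type="volume"):
        if encryption_type == "aggregate" and not self.nae:
            raise ValueError("NAE volumes require an NAE aggregate")
        return Volume(self, self.aggr_key_id if encryption_type == "aggregate" else self.km.create_key())


class Volume:
    def __init__(self, aggr, key_id):
        self.aggr, self.key_id, self.block_map = aggr, key_id, []  # logical block -> address

    def write(self, data):
        # Dedup before encryption: a physical block is shared only among writes made under the same
        # key (dedup index is (key_id, sha256(plaintext))), so two NVE volumes never share a block.
        dedup_key = (self.key_id, hashlib.sha256(data).digest())
        addr = self.aggr.dedup.get(dedup_key)
        if addr is None:
            addr = len(self.aggr.blocks)
            self.aggr.blocks[addr] = (self.key_id, xts_standin(self.aggr.km.unwrap(self.key_id), addr, data))
            self.aggr.dedup[dedup_key] = addr
        self.block_map.append(addr)
        return addr

    def read(self, logical_block):
        addr = self.block_map[logical_block]
        key_id, ciphertext = self.aggr.blocks[addr]
        return xts_standin(self.aggr.km.unwrap(key_id), addr, ciphertext)

    def secure_purge(self):
        # NVE secure purge: rewrite live data under a fresh key, then delete the old key, so blocks
        # that held the purged files stay on disk but can never be decrypted again.
        if self.key_id == self.aggr.aggr_key_id:
            raise ValueError("secure purge is not supported on NAE volumes (the key is shared)")
        old_id, live = self.key_id, [self.read(i) for i in range(len(self.block_map))]
        self.key_id, self.block_map = self.aggr.km.create_key(), []
        for data in live:
            self.write(data)
        self.aggr.km.delete_key(old_id)


def demo():
    km = OnboardKeyManager("correct horse battery staple")  # constructed passphrase
    nve_aggr, nae_aggr = Aggregate(km), Aggregate(km, nae=True)
    block = b"A" * 4096  # constructed sample data: one WAFL-sized block written to every volume
    a, b = nve_aggr.create_volume(), nve_aggr.create_volume()
    c, d = nae_aggr.create_volume("aggregate"), nae_aggr.create_volume("aggregate")
    for vol in (a, b, c, d): vol.write(block)
    results = {
        "nve_physical_blocks": len(nve_aggr.blocks),  # 2: two keys, nothing shared
        "nae_physical_blocks": len(nae_aggr.blocks),  # 1: one key, one shared block
        "nve_keys_unique": a.key_id != b.key_id,
        "nae_key_shared": c.key_id == d.key_id,
        "roundtrip": a.read(0) == block and d.read(0) == block,
    }
    old_addr = a.block_map[0]
    a.secure_purge()  # the old ciphertext is still in nve_aggr.blocks, but its key is gone
    results["purged_block_unreadable"] = nve_aggr.blocks[old_addr][0] not in km.query()
    results["live_data_still_readable"] = a.read(0) == block
    return results
```

Calling demo() returns the observations as a dictionary. Two things are worth noticing. First, the same 4 KB block written to two NVE volumes occupies two physical blocks while on the NAE aggregate it occupies one: that is the reason NVE volumes are skipped by aggregate deduplication. Second, after secure_purge() the original ciphertext is still present in nve_aggr.blocks, exactly as purged blocks remain on disk, but nothing can decrypt it once the key is deleted; that is the whole mechanism behind cryptographic shredding, and it is also why it cannot work on an NAE volume, whose key is shared with every other volume on the aggregate.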

Configuration
  1. How do I encrypt a new data volume?

See the NetApp Volume Encryption Power Guide.

  1. Can I encrypt existing data volumes?

Yes. You can do so by performing a volume move. For more information, see the NetApp Volume Encryption Power Guide.

  1. Can I encrypt an existing data volume in place (without a volume move)?

Yes. Starting with NetApp ONTAP 9.3, an NVE volume can be encrypted in place with the volume encryption conversion start command. To decrypt a volume, however, a volume move is still required.

  1. Can I encrypt an existing volume in place with NAE in ONTAP 9.6?

No. You need to do one of the following things:

  1. Create a new NAE aggregate with storage aggregate create -aggregate aggregate_name -node node_name -encrypt-with-aggr-key true and move volumes to it with volume move start, specifying either -encrypt-destination true or -encrypt-with-aggr-key true. As volumes are added, you start to realize aggregate deduplication space savings.
  2. Make sure every volume in the aggregate is an NVE volume (no plaintext volumes are supported on an NAE aggregate). Then enable NAE on the aggregate with storage aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key true, and move the NVE volumes within the same aggregate with volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -encrypt-with-aggr-key true so that they are re-encrypted with the aggregate key.

Note: Both of these options require enough free space to create a new aggregate or enough free space in the existing aggregate to complete the volume move.

For more information, see the NetApp Volume Encryption Power Guide.

  1. How do I realize aggregate deduplication space savings after converting NVE volumes to NAE volumes?

Perform the following steps:

  1. Enable cross-volume-background-dedupe on all NAE volumes with volume efficiency modify -vserver <vserver_name> -volume <vol_name> -cross-volume-background-dedupe true
  2. Enable cross-volume-inline-dedupe on all NAE volumes with volume efficiency modify -vserver <vserver_name> -volume <vol_name> -cross-volume-inline-dedupe true
  3. Run volume-level background dedupe on all NAE volumes and wait for completion of all volumes with volume efficiency start -volume <vol_name> -vserver <vserver_name> -scan-old-data true -dedupe true and volume efficiency show
  4. Run cross-volume background dedupe with storage aggregate efficiency cross-volume-dedupe start -aggregate <aggr_name> -scan-old-data true and monitor it with storage aggregate efficiency cross-volume-dedupe show

  1. How do I decrypt an NAE volume?

Perform one of the following steps:

  1. Use another aggregate:
    1. Move the volumes to a non-NAE aggregate and convert them to plaintext volumes by using volume move start with the parameters -encrypt-destination false -encrypt-with-aggr-key false.
  2. Use the same aggregate:
    1. Assuming you have space in the existing NAE aggregate, move the volumes within the same aggregate to convert them from NAE to NVE (which NAE aggregates allow) by using volume move start with the parameter -encrypt-with-aggr-key false.
    2. After all the volumes are NVE and no NAE-encrypted volumes remain, disable NAE on the aggregate with storage aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key false. Make sure that no aggregate Snapshot copies exist, or the command fails.
    3. Move the NVE volumes with -encrypt-destination false to convert them from NVE to plaintext.

  1. How can I view the progress of the volume encryption conversion start command?

Use the volume encryption conversion show -fields percentage-completed command.

  1. Can I do a volume move while a volume encryption conversion start is active on an NVE volume?

Yes. If volume encryption conversion show reports the conversion in phase 1, first issue volume encryption conversion pause; volume move start with -encrypt-destination true then starts the move with a new volume data encryption key. If volume encryption conversion show reports phase 2, volume move start with -encrypt-destination true can be started without pausing. The same applies to a volume move during an active volume encryption rekey start.

  1. If I do a volume encryption conversion pause and a subsequent volume encryption conversion resume, will the conversion continue where it left off?

No. The conversion will start from the beginning.

  1. Is it possible to tune the volume encryption conversion process?

No. The volume encryption conversion process runs single threaded per volume, and ONTAP gives priority to data access operations over the conversion process.

Because data access is preferred over the encryption process, the conversion can take a long time, depending on how large the data set being encrypted is. It is not possible to predict how long encrypting or decrypting a volume or aggregate will take.

  1. Is there a maximum number of simultaneous volume encryption conversion processes that can be run at one time?

No, but it is recommended to run no more than four combined encryption conversions or encrypting volume moves per node at the same time.

  1. Can I instantaneously delete an NVE volume encryption key without deleting the volume?

No. The volume encryption key is tied to the volume and is deleted with it once the volume's retention period expires. The retention period is a standard ONTAP volume feature. Until it expires, the data remains on disk, encrypted under that key.

  1. Can I instantaneously delete an NAE aggregate encryption key without deleting the NAE volumes?

No. Deleting an NAE volume does nothing from the key perspective. The aggregate keys continue to exist as long as at least one volume of any type (NVE or NAE) exists in the aggregate; they are deleted when the last volume is deleted and its retention period expires. If an NAE volume is created on the aggregate again afterward, a new set of aggregate keys is generated, different from the set that previously existed on that aggregate.

  1. What do I do after the encrypted volume is created?

Nothing. ONTAP makes sure that the data in that volume is encrypted.

  1. Can I decrypt a data volume?

Yes, for NVE. For more information, see the NetApp Volume Encryption Power Guide. NAE aggregates cannot contain unencrypted volumes; they can contain only NVE- or NAE-encrypted volumes.

  1. Can I rekey an existing volume or have the encryption key changed for an encrypted volume?

Yes, for NVE. For more information, see the NetApp Volume Encryption Power Guide. NAE does not support rekeying.

  1. Do I have to encrypt all of my data volumes with NVE?

No. NVE lets you choose which data volumes are encrypted.

  1. How do I confirm which volumes are encrypted?

The volume show command with the -is-encrypted true option lists the currently encrypted volumes. For ONTAP 9.6 and later, volume show with -encryption-type <none|volume|aggregate> lists the volumes that are unencrypted, NVE encrypted, or NAE encrypted, respectively.

  1. How do I transition from the onboard key manager to an external key manager, or vice versa?

Perform the following steps (for details, see the NetApp Encryption Power Guide):

  1. If you are using NSE, reset the authentication keys to the default manufacturer secure ID (MSID), 0x0.
  2. If you are using NVE, decrypt all volumes. If you are using NAE, move all NAE or NVE volumes to a non-NAE aggregate as unencrypted volumes.
  3. If you are coming from OKM, delete the OKM configuration and create the external key manager configuration. If you are coming from the external key manager, delete the external key manager configuration and create the OKM configuration.
  4. Set authentication keys for the NSE drives again and encrypt the required volumes with NVE.

  1. How can I require a prompt for the OKM passphrase at controller reboot?

You can require the OKM passphrase at boot by using the -enable-cc-mode true option with the security key-manager setup command. This can be turned on before moving a controller and its disk shelves and turned off after the move is complete. Starting with ONTAP 9.6, the command is security key-manager onboard enable -cc-mode-enabled yes.

  1. Why do I get an error when creating a volume with -encrypt false after OKM was initialized with -enable-cc-mode true?

When OKM is initialized with -enable-cc-mode true, all new volumes must be encrypted, so creating a volume with -encrypt false is rejected.

  1. What are the circumstances where an external key manager is contacted by a node?

A node contacts the key manager when:

  1. Booting.
  2. Creating a key.
  3. Running one of the following commands:
    1. security key-manager query
    2. security key-manager restore
    3. security key-manager show -status

  1. What is the behavior when the external key manager is not accessible?

When:

  1. Booting:
    • NVE system: encrypted volumes remain offline.
    • NSE system: the node refuses to boot; see the NetApp Encryption Power Guide.
  2. Creating a key: the key is not created.
  3. Running one of the following commands:
    1. security key-manager query: key IDs are shown from the cache if it is populated.
    2. security key-manager restore: the command fails.
    3. security key-manager show -status: the key manager is reported as unavailable.

  1. What happens with NVE and NAE volumes if the external key manager is not available during node giveback?

The NVE and NAE volumes will be offline.

  1. Where can I download an NVE/NAE-capable image?

You can download an ONTAP image for release 9.1 or later from the NetApp Support site. For example, go to https://mysupport.netapp.com/NOW/download/software/ontap/9.1/download.shtml for ONTAP 9.1. (See Figure 2.)

Figure 2) ONTAP software download page

  1. What happens when I install an ONTAP non-NVE-capable release (for example, the version for restricted countries) over an ONTAP release that is NVE-capable?

If there are NVE volumes, the ONTAP installation should fail.

  1. How can I switch from a non-NVE/NAE-capable version (for example, the NODAR build for restricted countries) to an NVE/NAE-capable version?

Perform the following steps to upgrade to an NVE/NAE-capable version:

  1. Download a data-at-rest-encryption-capable image from ONTAP 9 Downloads and make it available at a URL.
  2. Use cluster image package get -url <url> to fetch the package.
  3. Use cluster image package show to view the package.
  4. Use cluster image update -version <version> -nodes <nodes> to start the update.
  5. Use cluster image show-update-progress to monitor the update. When it completes, the nodes reboot.

Performance
  1. What is the performance impact of NVE and NAE?

It depends on the customer workload, the number of active encrypted data volumes, the platform, and the disk type being used.

  1. Do certain platforms perform better with NVE and NAE?

Yes. Platforms with higher core counts perform better with NVE. In certain situations, on the higher end, the performance impact of NVE is negligible or unobservable. For example, a NetApp FAS8080 is less affected than a FAS8040 for the same workload and the same number of active encrypted data volumes.

  1. Is there a performance difference between SSDs and HDDs while using NVE and NAE?

Volumes residing on SSDs are typically placed there for extremely low latency. NVE and NAE extend the path length for each piece of data, which can be noticeable in some workloads and operating conditions: the number of IOPS at a given latency can be lower when NVE or NAE runs on a NetApp All Flash FAS system, for example. For volumes residing on HDDs, the bottleneck is the disk, so there should be little to no impact from NVE and NAE.

  1. Is there an impact on nonencrypted volumes?

The impact of NVE and NAE comes from extending the processing for the encrypted volumes. Unencrypted volumes should remain unaffected while operating during normal conditions.

  1. What if I want to enable NVE or NAE on an existing system? How do I gauge the impact?

Use the headroom capability on the system as is (no encryption) to note where the existing performance is. Then, add an NVE or NAE volume (or convert an existing volume) and use the headroom capability once more to see what changes. Remember that NVE is per volume; therefore, you can encrypt or create one at a time based on the headroom and impact.

  1. To prevent encryption from affecting nonencrypted volumes, a limited number of CPU cores are dedicated to encryption. What happens if the encryption cores are overloaded?

To prevent overload, NVE and NAE take advantage of AES-NI in Intel CPUs for encryption acceleration. If that capacity is saturated, the impact is seen as reduced IOPS.

Interoperability
  1. Can I use NVE and NAE with MetroCluster?

Yes. NVE and NAE are the only generally available data-at-rest encryption option for NetApp MetroCluster.

  1. Can I use NVE and NAE with ONTAP Select?

Yes. NVE and NAE are the only generally available data-at-rest encryption option for NetApp ONTAP Select.

  1. Can I use NVE and NAE with NetApp FlexArray® software?

Yes. As long as the controller supports NVE and NAE, you can use NVE and NAE.

  1. Can I use NVE and NAE with Cloud Volumes ONTAP?

Yes for NVE. Cloud Volumes ONTAP is supported starting with ONTAP 9.5. NAE is not currently supported with Cloud Volumes ONTAP.

  1. Are NVE and NAE supported with NetApp Flash Cache cards?

Yes. Data on Flash Cache™ cards is encrypted by the same CryptoMod used by NVE and NAE.

  1. Is data in NetApp Flash Pool intelligent caching encrypted by NVE and NAE?

Yes. Data in Flash Pool™ caches is encrypted by NVE and NAE.

  1. Are NetApp SnapLock software and NetApp ONTAP FlexGroup volumes compatible with NVE and NAE?

Yes. Starting with ONTAP 9.2, SnapLock software and ONTAP FlexGroup volumes are supported. SnapLock support applies to new SnapLock volumes; starting with ONTAP 9.8, existing SnapLock volumes can also be encrypted with a volume move. Existing SnapLock volumes cannot be encrypted in place or rekeyed in place.

  1. What are the restrictions with FlexGroup volumes and NAE?

The following restrictions apply to FlexGroup (FG) create, rekey/conversion, and expand operations:

  • FG create
    • An encrypted FlexGroup create is allowed only if all destination aggregates have the same encryption type (NAE or non-NAE); a mix is not allowed, except for NVE as noted below.
    • A plaintext FlexGroup cannot be created on NAE aggregates.
    • An NVE FlexGroup can be created on a mix of NAE and non-NAE aggregates.
    • If -encrypt true is specified, all constituent volumes are NVE; the destination aggregates can be a mix of NAE and non-NAE.
    • -encrypt false is not supported.
    • If nothing is specified, NAE volumes are created on the NAE destination aggregates.
  • FG rekey/conversion
    • If any constituent volume is NAE, in-place rekey/conversion is not allowed. The NAE constituents must first be converted to NVE through a volume move; only then is rekey/conversion allowed.
  • FG expand
    • Adding members to an existing FlexGroup on NAE aggregates is allowed only if the new destination aggregate is also NAE; it fails if the new destination aggregate is non-NAE.

  1. Are external (KMIP) key managers compatible with NVE and NAE?

Yes. Starting with ONTAP 9.3, external key managers are compatible with NVE, and starting with ONTAP 9.6, with NAE.

  1. Are NVE and NAE supported with backup applications?

Yes. NVE and NAE are independent of the backup targets or solutions. Note that the data presented to the backup solution is decrypted on read, so the backup copy itself is not protected by NVE or NAE.

  1. Do NVE and NAE support data partitioning (for example, ADP/ADPv2)?

Yes. NVE and NAE are independent of the data partitioning process because the volumes are established after the partitioning process is performed.

For more information, see the NetApp Volume Encryption Power Guide.
